Submission Details
Impact:
Likelihood:
## [M-2] `_safeMint()` Allows Malicious Contract to Block Raffle
Root + Impact
Description
The
selectWinner()function is intended to mint an NFT to the winner after distributing the prize poolThe function uses
_safeMint()which callsonERC721Received()on the recipient if it's a contract; a malicious contract can revert this call
delete players;
raffleStartTime = block.timestamp;
previousWinner = winner;
(bool success,) = winner.call{value: prizePool}("");
require(success, "PuppyRaffle: Failed to send prize pool to winner");
@> _safeMint(winner, tokenId); // Reverts if winner contract doesn't implement onERC721Received
Risk
Likelihood:
Requires a smart contract to win the raffle
Attacker must predict/manipulate winner selection (see H-2)
Impact:
Entire transaction reverts, raffle cannot complete
Players array is not reset, so raffle is stuck
All player funds remain locked until issue is resolved
Proof of Concept
contract MaliciousWinner {
// No onERC721Received implementation
// OR explicitly revert:
function onERC721Received(address, address, uint256, bytes calldata) external pure returns (bytes4) {
revert("Blocking raffle");
}
}
Recommended Mitigation
- _safeMint(winner, tokenId);
+ _mint(winner, tokenId);
Rewards breakdown
This contest has a flat reward structure with the following payouts:
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.